An explosive, but unverified, memo on Donald Trump alleged the FSB has “cracked” Telegram. This is how the spies might be doing it.

A 35-page leaked report on President-elect Donald Trump makes a series of explosive—and mostly unverified—claims, including the fact that the Russian government can blackmail the former reality TV-star with compromising and embarrassing information, such as a tape of Trump watching a group of prostitutes performing a "golden shower" on the bed of a fancy Moscow hotel.

The report, which was first published by BuzzFeed News on Tuesday evening, also alleges that Russian intelligence service FSB, the successor of the KGB, have "cracked" Telegram, a messaging app that markets itself as secure, private, and encrypted.

"His/her understanding was that the FSB now successfully had cracked this communications software and therefore it was no longer secure to use," wrote the author of the report, referring to claims allegedly made by "an FSB cyber operative."

A screenshot of the paragraph in the leaked report that talks about Telegram.

Telegram was founded by Russian entrepreneur Pavel Durov, and has become a popular alternative to other apps like WhatsApp or Signal, especially in countries like Russia or Iran. The app markets itself as a secure, encrypted app, but end-to-end encryption is not enabled by default (users have to open a "Secret Chat" to turn it on) and security researchers and cryptography experts have repeatedlyquestioned the app's security. Moreover, Iran's government was allegedly able to compromise dozens of Telegram accounts last year.

The report, penned by someone who claims to be a former British spy, doesn't provide any details on how the FSB might have cracked the app—those seven lines are all the report says about Telegram. So it's unclear what it means exactly by "cracked."

Durov challenged the veracity of the report in a message to Motherboard.

"I personally think the report is fake," Durov told me in a Telegram message. "But if it is not, it probably refers to the story on SMS interception by FSB in April 2016."

"I personally think the report is fake."

In that case, Russian cellphone operator MTS allegedly helped Vladimir Putin's government take over the Telegram account of at least two activists, as explained in this detailed technical analysis. The attackers didn't attack Telegram itself, but took over the victims' accounts by disabling their cellphone service, taking over their number, and logging in pretending to be the victim.

Without 2FA, however, the FSB (and your own government's unfriendly spy agency), can still do this attack, as nothing has changed in the Telegram app since reports of these kind of attacks surfaced publicly. And given that cryptographers are still finding flaws in Telegram's security, perhaps the FSB has found another way to crack or hack into some accounts, or intercept messages.

The Russian Embassy in Washington D.C. did not immediately respond to a request for comment.